No DC’s are specified, but you’d think that’s OK. After all, you told the AD plugin what the DC’s were with the -add flag. It should be able to figure them out from the “ad.mycompany.com”, right?

Wrong. While third-party solutions like ADmitMac and Centrify can figure out DC’s from the supplied domain, Apple’s AD plugin cannot.

Worse, if you omit the explicit DC specification, the AD plugin won’t tell you. It will try for a while to bind, and eventually you’ll get an error, but it will be a “(10001) failure”, not something useful like “DC not specified”. And it will be at the end of a very long log of bind attempts (assuming you turned on debug logging).